Continuing our trend of testing all the CVEs that come out that may affect the Linux distributions covered by our Extended Lifecycle Support, the team went to work on CVE-2021-22922 and CVE-2021-22923.
These vulnerabilities affect curl, a piece of software that has been around for many years, included as a component in multiple different applications and distributions and is just a great and useful data transfer tool. It supports different protocols, encryption mechanisms and architectures, and this versatility has even garnered it the distinction of being used outside of planet Earth. It is part of the software stack in a Martian rover.
This publicity, however, seems also to have attracted the attention of security researchers. And we're glad they did look at it because new vulnerabilities are being discovered for curl on very old code that has been in use for decades and assumed correct for all this time. Just this week, another vulnerability was divulged, and it was present in code that’s over 20 years old. In the IT world, that is like finding a living dinosaur roaming the streets today.
Looking at CVE-2021-22922 and CVE-2021-22923, they are related to an option included in curl, "--metalink". This feature lets a server instruct a client (in this case, curl) on alternative locations where to find a given piece of content. For example, to facilitate content distribution by pointing a client, transparently, to a mirror geographically closer to them.
It turns out that, for CVE-2021-22922, if a mirror for a given file was compromised and the file's content replaced by something else, curl would still download the tampered file, even if it no longer matched the hash for the content that is present in the metalink list. Therefore, this flaw could lead to malicious content being downloaded, catching the user unaware.
CVE-2021-22923 describes a vulnerability around how the credentials used to download the original metalink information could be inadvertently and wrongly sent to the mirror server. This could lead to the unauthorised disclosure of said credentials.
Both vulnerabilities are not, presently, known to have public exploit code.
Additionally, the TuxCare Team has determined that the curl versions included in the supported systems under its Extended Lifecycle Support are NOT affected by these vulnerabilities, and thus do not require any patches to deal with them specifically. EL6's curl does not have this option, and in Ubuntu it is disabled by default.
If you're interested in knowing more about the Extended Lifecycle Support, or other TuxCare services, you can find more information here.
The TuxCare Team continues to test all the vulnerabilities so that you don't have to - taking care of Linux's security while you focus on your business' needs.